NVD Vulnerability Detail

CVE-2026-6965

Summary	The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to and including 3.9.9. This is due to the `get_course_id_by()` function unconditionally trusting the user-supplied `course` GET parameter as the authoritative course ID for content ownership lookups, which is then consumed by `can_user_manage()`, the plugin's sole authorization gate for instructor-level operations, causing it to evaluate instructor membership against the attacker-controlled course rather than the course that actually owns the target content object. This makes it possible for authenticated attackers, with instructor-level access and above, to perform unauthorized operations on any other instructor's course content, including permanently deleting lessons, assignments, quizzes (with cascading deletion of all student attempt data), topics, announcements, and Q&A threads, as well as creating or modifying lessons, topics, and announcements in victim courses, manipulating student quiz grades, and reading unpublished lesson and quiz content.
Publication Date	May 13, 2026, 3:16 p.m.
Registration Date	May 15, 2026, 4:19 a.m.
Last Update	May 13, 2026, 11:43 p.m.

CVSS3.1 : MEDIUM
スコア	5.3
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃に必要な特権レベル(PR)	不要
利用者の関与(UI)	不要
影響の想定範囲(S)	変更なし
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし

Related information, measures and tools

No	URL	refsource
1	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L294	security@wordfence.com
2	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L507	security@wordfence.com
3	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Ajax.php#L586	security@wordfence.com
4	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Announcements.php#L105	security@wordfence.com
5	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L1997	security@wordfence.com
6	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Course.php#L2045	security@wordfence.com
7	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L186	security@wordfence.com
8	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L243	security@wordfence.com
9	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Lesson.php#L341	security@wordfence.com
10	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L219	security@wordfence.com
11	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L297	security@wordfence.com
12	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Q_And_A.php#L339	security@wordfence.com
13	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1007	security@wordfence.com
14	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L1041	security@wordfence.com
15	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Quiz.php#L888	security@wordfence.com
16	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L7829	security@wordfence.com
17	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.7/classes/Utils.php#L8020	security@wordfence.com
18	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L294	security@wordfence.com
19	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L507	security@wordfence.com
20	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Ajax.php#L586	security@wordfence.com
21	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Announcements.php#L105	security@wordfence.com
22	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L1997	security@wordfence.com
23	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Course.php#L2045	security@wordfence.com
24	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L186	security@wordfence.com
25	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L243	security@wordfence.com
26	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Lesson.php#L341	security@wordfence.com
27	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L219	security@wordfence.com
28	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L297	security@wordfence.com
29	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Q_And_A.php#L339	security@wordfence.com
30	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1007	security@wordfence.com
31	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L1041	security@wordfence.com
32	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Quiz.php#L888	security@wordfence.com
33	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L7829	security@wordfence.com
34	https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.9/classes/Utils.php#L8020	security@wordfence.com
35	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L294	security@wordfence.com
36	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L507	security@wordfence.com
37	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Ajax.php#L586	security@wordfence.com
38	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Announcements.php#L105	security@wordfence.com
39	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L1997	security@wordfence.com
40	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Course.php#L2045	security@wordfence.com
41	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L186	security@wordfence.com
42	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L243	security@wordfence.com
43	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Lesson.php#L341	security@wordfence.com
44	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L219	security@wordfence.com
45	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L297	security@wordfence.com
46	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Q_And_A.php#L339	security@wordfence.com
47	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1007	security@wordfence.com
48	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L1041	security@wordfence.com
49	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Quiz.php#L888	security@wordfence.com
50	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L7829	security@wordfence.com
51	https://plugins.trac.wordpress.org/browser/tutor/trunk/classes/Utils.php#L8020	security@wordfence.com
52	https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3518400%40tutor&new=3518400%40tutor&sfp_email=&sfph_mail=	security@wordfence.com
53	https://www.wordfence.com/threat-intel/vulnerabilities/id/55924ea3-373c-4297-a958-5670def1f6c0?source=cve	security@wordfence.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-639	ユーザ制御の鍵による認証回避	https://cwe.mitre.org/data/definitions/639.html